[keycloak-user] Bearer token expiration question

Eric Wittmann eric.wittmann at redhat.com
Tue Jan 28 15:31:59 EST 2014


Thanks for the response Bill.  This is great news (both that it's on the 
roadmap and that I'm not[1] an idiot).

Let me know if I can help with testing.  There's a new project starting 
up in JBoss Overlord that I'm in the process of bootstrapping now.  I'm 
going to design it with this approach in mind (Javascript client making 
REST calls directly to an API that is separate from the webapp that 
served up the JS).  So I'm happy to be an early adopter/tester.

-Eric

[1] necessarily

On 1/28/2014 3:11 PM, Bill Burke wrote:
> You're not missing something obvious.  We need to add refresh tokens
> that can be held by the HTTP session or the Javascript client so a new
> access token can be obtained.  There's also some work still to be done
> to smooth out Javascript-only clients that are served up via static pages.
>
>
> On 1/28/2014 2:21 PM, Eric Wittmann wrote:
>> First of all, Keycloak looks great - the alpha release is a very nice start!
>>
>> I have a question about bearer token expiration.  Take the included
>> product portal example.  It is configured to use Keycloak for SSO, which
>> allows the user to access the product listing page.  That listing page
>> uses the current SkeletonKeySession's token as the Bearer token when
>> invoking the database/products REST endpoint.  This makes sense to me,
>> but one interesting thing happens - that token eventually times out.
>> Once that happens all calls to the REST endpoint fail.
>>
>> Note that this occurs even if the user refreshes that product listing
>> page.  The timeout is from login, not from the last activity (like an
>> http session timeout would be).
>>
>> So in this scenario, how is the product page supposed to get a new token
>> when the old one expires?
>>
>> This becomes even more relevant if the UI is not a JSP but is instead a
>> JavaScript app (e.g. angular, GWT, etc).  I was thinking that I would
>> need to pass the token to the client layer, which would then allow me to
>> make authenticated REST calls directly from the Client/JavaScript layer
>> to a REST API.  That would be a great separation, but obviously the user
>> should not get logged out after N minutes despite actively using the app
>> during that time.
>>
>> I'm probably missing something obvious... :)
>>
>> -Eric
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
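The refresh-token flow Bill describes, and the JavaScript-client-to-REST-API setup Eric wants to build, as an added example that is not part of this thread and is not Keycloak's own adapter code: the client reads the access token's `exp` claim, and when the token is about to run out it exchanges its refresh token at the token endpoint (the standard OAuth2 `refresh_token` grant) before sending the API request with the new bearer token. The token endpoint URL, client id, API URL and all token values are constructed for the example; `fetch` is injected so the code runs against a fake endpoint offline.

```javascript
// Added example, not code from the thread or from Keycloak: a browser/Node
// JavaScript client that keeps calling a REST API past the access token's
// lifetime by refreshing with an OAuth2 refresh_token grant before the
// bearer token expires. Endpoint, client id and token values are constructed.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(padded, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Read the JWT payload without verifying the signature: the client only uses
// `exp` to schedule a refresh; the resource server is what verifies the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds left before `exp`, measured from nowMs; negative once expired.
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(token);
  if (!Number.isFinite(exp)) throw new Error('token has no numeric exp claim');
  return exp - Math.floor(nowMs / 1000);
}

// Refresh early by `skewSeconds` so a request never leaves with a token that
// expires in flight or that the server, with its own clock, already rejects.
function needsRefresh(token, nowMs = Date.now(), skewSeconds = 30) {
  return secondsUntilExpiry(token, nowMs) <= skewSeconds;
}

// OAuth2 refresh_token grant (RFC 6749 section 6) against the token endpoint.
async function refreshTokens(tokenEndpoint, clientId, refreshToken, fetchImpl = fetch) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  const res = await fetchImpl(tokenEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  if (!res.ok) throw new Error(`refresh failed: HTTP ${res.status}`);
  return res.json(); // { access_token, refresh_token?, expires_in, ... }
}

// Call the API with a bearer token that is guaranteed fresh at send time.
// `state` holds the current tokens and is updated in place when they rotate.
async function callApi(state, url, deps = { fetch, now: Date.now }) {
  if (needsRefresh(state.accessToken, deps.now())) {
    const t = await refreshTokens(state.tokenEndpoint, state.clientId, state.refreshToken, deps.fetch);
    state.accessToken = t.access_token;
    if (t.refresh_token) state.refreshToken = t.refresh_token; // server may rotate it
  }
  return deps.fetch(url, { headers: { Authorization: `Bearer ${state.accessToken}` } });
}

// Constructed sample token for local runs: header and payload are real JWT
// segments, the signature segment is a placeholder (the client never checks it).
function makeSampleToken(expSeconds, extra = {}) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'sample-user', exp: expSeconds, ...extra }));
  return `${header}.${payload}.constructed-signature`;
}
```

Two points worth noting about the design: the token's lifetime is now measured from the last successful refresh rather than from login, which is the behaviour Eric expects, and a refresh that fails (the refresh token itself expired, or the session was revoked) surfaces as an error from `callApi`, which is the moment the application should send the user back through login rather than keep retrying with a dead token.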

